HIPAA Compliance: EHR Incentives, Risk Assessment, and Penalties

Financial penalties for HIPAA violations. How real are they? How about a recent $4.3 million civil penalty faced by Cignet Health of Prince George’s County, Maryland; or the also recent $1 million settlement for Massachusetts General Hospital? Are those figures and outcomes real enough as you consider the value of HIPAA Compliance?

Included in the EHR and technology discussions so common in healthcare today are the well-publicized HITECH incentives. These incentives are scheduled to be paid to eligible providers who can demonstrate meaningful use of their certified EHR system. These EHR incentive payments are starting to be paid right about now for Medicare, and were paid earlier this year for Medicaid. However, part of complying with meaningful use is completing a HIPAA risk assessment, either done by the medical provider or by a qualified professional on the provider’s behalf. What’s more, this assessment is not just a one-time review showing that your EHR system and technology usage is HIPAA compliant; the meaningful use criteria require periodic HIPAA risk assessments as well.

A HIPAA assessment must include both Privacy and Security Rules

Straight from Health and Human Services (HHS), HIPAA calls, “… for the establishment of standards and requirements for transmitting certain health information to improve the efficiency and effectiveness of the health care system while protecting patient privacy. The Administrative Simplification Regulations have been developed to implement these statutory provisions.”

Within these provisions are details that address the protection of individuals’ medical records and other personal health information, whether paper or electronic, give patients rights over their health information, and require appropriate (1) administrative, (2) physical, and (3) technical safeguards … and more.

A few sample items included in a HIPAA privacy rule assessment include:

Privacy & Confidentiality

Notice of Privacy Practices

Disclosures

Employee Training

Access to PHI

Business Associate contracting activities and BA Agreements in use

A few sample items included in a HIPAA security rule assessment include:

As stated, these are just some samples to give a sense of what the Fed’s expectations are. We have a more extensive list, along with additional information on what is entailed in analyzing a healthcare organization’s compliance with the HIPAA privacy and security rules, elsewhere on this site that you may wish to review.

So whether you’re hoping to qualify for EHR incentives, want to do things right and comply with HIPAA regulations, or are just trying to avoid hefty penalties for infractions, it’s advisable to pursue a risk assessment … and to do it NOW if you haven’t already.
